Criminals exploit net phone calls

Malicious hackers are turning to net phone systems in a bid to trick people into handing over personal details.

Security firms have identified several scams in which net phone systems are harnessed to try to catch out potential victims.

In one con people are called about supposed fraudulent activity on their credit card.

So far few people have been caught out but security firms expect the number of scams to grow.

Call barring

Many hi-tech criminals currently use e-mail as the sole method of delivering spam, as well as viruses and phishing messages - in which an e-mail and/or website purports to be that of a bank or financial institution.

Others are harnessing newer technologies to find and catch out fresh victims.

Some criminals are now using net phone systems in a bid to make their come-ons look more legitimate and convince people to hand over useful details such as credit card numbers, bank account details or personal information.

The scam has been dubbed "vishing" because, like phishing, its practitioners pose as banks and other financial institutions but use Voice over IP (Voip) technology.

One recent con spotted by security firm WebSense put an 0800 number in an e-mail message spammed out to users asking them to call and update their bank details.

On calling the number users hear a recorded voice asking them to enter their account number using the phone's touch pad.

Anti-virus firm Sophos has also come across a combined e-mail and phone scam aimed at net payments service PayPal which also asks people to phone to update or confirm their account information.

Secure Computing has found a more sophisticated scam that avoids e-mail altogether. Instead the criminals behind this scam have programmed computers to dial a long list of phone numbers and play a recorded message to anyone that answers.

The recorded message warns that a person's credit card has been used fraudulently and asks them to enter their card number. Significantly, those responding are also asked for the security number found on the rear of the card.

The scam is lent legitimacy because net phone technology makes it easy to fake the number someone is calling from.

Warning call

Paul Henry, a spokesman for Secure Computing, said the scam might succeed because although people were suspicious of e-mail few would suspect a phone call about a credit card problem.

"Common sense is the first line of protection," said Mr Henry. "Anyone who is called by a bank should take the appropriate steps to protect their personal information and their bank account."

Mr Henry said if a bank or credit card company rang a customer it would have knowledge of some personal details about who it was calling. He urged people to be suspicious of any caller who did not know basic personal details such as first and last name. Anyone receiving such a call should report it to their bank, he said.

Alan Nunn, chief technology officer of Newport Networks which sells Voip technology, said in its early days phishing succeeded because people did not know about its dangers.

"We've fixed that partially through educating users," he said, adding that the same needed to be done with the new scams.

But, he added, net firms would increasingly have to take some trouble inside their own networks to tackle security problems.

Many net service firms already use a blacklist of internet addresses known to be senders of spam. Similar lists could be circulated of places hosting vishing scams so any call from them is blocked before it reaches a user.

But, admitted Mr Nunn, just as with anti-virus firms and virus writers an "arms race" was likely to develop between the firms trying to stop the scams proliferating and those trying to harvest new victims.

"I suspect the criminals are in the experimentation phase at the moment," said Mr Nunn. "But I also suspect there's real fraud going on out there too."